Serious Vulnerabilities Expose 92,000 D-Link NAS Devices to Malware Threats

Cybersecurity Alert: Vulnerabilities Found in D-Link NAS Devices Open Doors to Exploitation

Recent findings reveal that threat actors are actively exploiting security weaknesses affecting approximately 92,000 D-Link network-attached storage (NAS) devices exposed to the internet. The vulnerabilities, tracked as CVE-2024-3272 and CVE-2024-3273, carry CVSS scores of 9.8 and 7.3, respectively, and affect legacy D-Link products that have reached end-of-life. In its advisory, D-Link said it will not release patches for these issues and advised customers to replace their vulnerable devices.

The vulnerabilities reside in the nas_sharing.cgi URI, where two critical issues are present: a backdoor created by hard-coded credentials and a command injection vulnerability associated with the system parameter. These weaknesses allow unauthorized access, potentially enabling attackers to execute arbitrary commands on the affected devices. As highlighted by security researcher netsecfish, such exploitation could facilitate access to sensitive data, configuration changes, or even lead to denial-of-service conditions.

Notably, the affected models include DNS-320L, DNS-325, DNS-327L, and DNS-340L. The threat intelligence firm GreyNoise reported that attackers have been observed attempting to leverage these vulnerabilities to deploy Mirai botnet malware, thereby gaining remote control over the targeted D-Link devices. This tactic indicates a sophisticated approach, as threat actors are rapidly evolving their techniques to exploit new vulnerabilities, demonstrating a persistent commitment to compromise network devices.

In the absence of a fix, cybersecurity experts at the Shadowserver Foundation are advising users to either remove these devices from the network or implement firewalls to restrict remote access. As Mirai botnets adapt to incorporate new vulnerabilities, the ongoing trend of targeting network devices raises alarms among cybersecurity professionals.
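While affected devices are being retired or firewalled, access logs from any web server, reverse proxy or firewall in front of them can be checked for the requests described above. The following Python sketch is an added example, not code from D-Link, the researchers or the original article: it flags requests to nas_sharing.cgi and marks those that carry a system parameter. The Common Log Format layout, the /cgi-bin/ prefix, the addresses and the parameter values in the sample are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Common Log Format). Addresses are documentation
# ranges; the /cgi-bin/ prefix and parameter values are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2024:08:15:02 +0000] "GET /cgi-bin/nas_sharing.cgi?system=CONSTRUCTED_VALUE HTTP/1.1" 200 57
192.0.2.10 - - [10/Apr/2024:08:16:40 +0000] "GET /web/login.html HTTP/1.1" 200 2048
203.0.113.22 - - [10/Apr/2024:08:17:11 +0000] "GET /CGI-BIN/NAS_SHARING.CGI?a=1&System=CONSTRUCTED_VALUE HTTP/1.1" 404 0
192.0.2.10 - - [10/Apr/2024:08:18:05 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 12
198.51.100.7 - - [10/Apr/2024:08:19:30 +0000] "GET /cgi-bin/%6eas_sharing.cgi?system=CONSTRUCTED_VALUE HTTP/1.1" 200 57
"""

# source, timestamp, method, request target, status (size must follow).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify(line):
    """Return (src, timestamp, status, verdict) for hits on the endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode percent-escapes and ignore case so trivially obfuscated
    # requests for the same file still match.
    filename = unquote(parts.path).rsplit("/", 1)[-1].lower()
    if filename != "nas_sharing.cgi":
        return None
    # Only query-string parameters are visible in an access log;
    # parameters sent in a request body are not.
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    verdict = "command-parameter" if "system" in params else "endpoint-access"
    return m["src"], m["ts"], int(m["status"]), verdict


def scan(text):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, text.splitlines()) if hit]


if __name__ == "__main__":
    for src, ts, status, verdict in scan(SAMPLE_LOG):
        print(f"{ts} {src} status={status} {verdict}")
```

A "command-parameter" hit answered with status 200 from an internet source is the case to triage first; "endpoint-access" hits from internal addresses may be legitimate use of the NAS interface.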

The growing threat landscape has prompted cybersecurity experts to take note of how financially motivated and nation-state-linked attackers are shifting their focus toward malware-initiated scanning attacks. According to Palo Alto Networks Unit 42, these attacks often originate from benign networks, likely driven by malware-infected machines. By utilizing compromised hosts to conduct scanning operations, adversaries can conceal their tracks, bypass geofencing measures, and leverage significant computational resources to amplify their scanning efforts.

As businesses increasingly depend on network devices, the implications of these vulnerabilities extend beyond mere technical concerns. Executives must remain vigilant and proactively assess their cybersecurity measures, understanding that adversaries will continue to adapt and exploit weaknesses in their pursuit of unauthorized access.

In summary, the discovery of these vulnerabilities in D-Link NAS devices underscores the critical need for businesses to regularly evaluate their hardware and software security postures. By staying informed and taking preventative measures, organizations can fortify themselves against the evolving tactics and techniques outlined in the MITRE ATT&CK framework, mitigating the risks associated with potential cyber threats.
